Firewall

We decided to go with Shorewall, which is relatively popular. It also has the advantage that we don't need to provide the IP addresses of the system – it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall.

Requirements

All we want from the firewall is basic host protection. (We don't do any routing, so we don't need to worry about packets going through the system.) We want to allow all outbound connections, and allow inbound connections to only the following ports:

22 – SSH

53 – DNS (UDP and TCP)

80 – HTTP

123 – NTP (UDP)

443 – HTTPS
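
The four Shorewall files that implement these requirements, as an added example that is not part of the original page: a single external interface (assumed to be eth0) in zone net, all traffic from the firewall outbound accepted, all inbound dropped by policy, and only the listed ports opened through Shorewall's stock macros (the DNS macro covers both TCP and UDP 53, the NTP macro UDP 123).

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4

# /etc/shorewall/interfaces  (eth0 is an assumption; "detect" lets
# Shorewall find the addresses itself, so no IPs are hard-coded)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter

# /etc/shorewall/policy  (default behaviour; rules below punch holes)
#SOURCE   DEST   POLICY   LOG LEVEL
$FW       net    ACCEPT              # all outbound connections allowed
net       $FW    DROP     info       # everything inbound dropped unless a rule matches
all       all    REJECT   info       # catch-all, must stay last

# /etc/shorewall/rules  (host protection only: net -> $FW)
#ACTION         SOURCE   DEST   PROTO   DEST PORT(S)
SECTION NEW
SSH(ACCEPT)     net      $FW                    # tcp 22
DNS(ACCEPT)     net      $FW                    # tcp+udp 53
HTTP(ACCEPT)    net      $FW                    # tcp 80
NTP(ACCEPT)     net      $FW                    # udp 123
HTTPS(ACCEPT)   net      $FW                    # tcp 443
```

Run `shorewall check` to validate the files before `shorewall restart` applies them; a syntax error in any of the four files stops the restart rather than leaving the host half-configured.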

Installation

Install shorewall (and its documentation):

sudo apt-get -y install shorewall shorewall-doc

Configuration

In /etc/default/shorewall, enable Shorewall by changing the startup line: